Virtual servers connected to a virtual network run inside this virtual environment. All of this is connected to the traditional physical infrastructure. It can be challenging to manage the traffic between the virtual environment and the physical environment, but the real difficulty is that some of this traffic never leaves the virtual environment, which creates a hole in the network perimeter.

How does traffic between virtual hosts that doesn't leave the virtualization server constitute a "hole" in the perimeter? Not all internal traffic needs to route through a gatekeeper, for the sake of all that is holy.

ZAZ:I remember way back when we didn't have firewalls. NAT hadn't been invented because addresses were abundant and free for the taking. The box on my desk was visible to the world.

At my office, I just give all our servers and desktops a public IP and skip the whole internal/external network thing. It's easier for everyone. I also just gave everyone Admin rights to their own systems. Talk about a time saver for my desktop support guys. Now the users can install anything they want. Just skip the middleman, you know?

pudding7:ZAZ: I remember way back when we didn't have firewalls. NAT hadn't been invented because addresses were abundant and free for the taking. The box on my desk was visible to the world.

At my office, I just give all our servers and desktops a public IP and skip the whole internal/external network thing. It's easier for everyone. I also just gave everyone Admin rights to their own systems. Talk about a time saver for my desktop support guys. Now the users can install anything they want. Just skip the middleman, you know?

You joke, but at my old job we had a corporate requirement to run this proprietary program. The program is an absolute piece of shiat that REQUIRES users to have local admin privileges to run.

My boss understood why this was an absolute travesty, but unfortunately we just don't have a choice.

pudding7:ZAZ: I remember way back when we didn't have firewalls. NAT hadn't been invented because addresses were abundant and free for the taking. The box on my desk was visible to the world.

At my office, I just give all our servers and desktops a public IP and skip the whole internal/external network thing. It's easier for everyone. I also just gave everyone Admin rights to their own systems. Talk about a time saver for my desktop support guys. Now the users can install anything they want. Just skip the middleman, you know?

Not only is it a time saver, it'll save tons of money, because if everyone has admin rights on their machines we won't even need a support staff!

Um, doesn't that magic box on my desk with the password and the antenna on it act as a firewall? I'm pretty sure it manages incoming connections and doesn't let just any strange traffic stick its unsolicited dirty dick into my computer.

Desquamation:pudding7: ZAZ: I remember way back when we didn't have firewalls. NAT hadn't been invented because addresses were abundant and free for the taking. The box on my desk was visible to the world.

At my office, I just give all our servers and desktops a public IP and skip the whole internal/external network thing. It's easier for everyone. I also just gave everyone Admin rights to their own systems. Talk about a time saver for my desktop support guys. Now the users can install anything they want. Just skip the middleman, you know?

Not only is it a time saver, it'll save tons of money, because if everyone has admin rights on their machines we won't even need a support staff!

We've had clueless VPs pitch this idea almost word for word.

For the sake of analogy, let's say a desktop is a car. There are people who can work on their own cars, there are people who can't, and there are people in the middle who are mostly alright on their own but need help with more advanced tasks. With me so far? Alright, you're the guy going, "Yesterday, I saw a guy trying to air up his own tires! Ahaha, can you believe it? He wasn't even an expert!"

/it's possible to provide security without f*cking over the entire user base
//95% of IT "professionals" don't understand how to do this

All that means is there is only 5% of IT professionals who aren't sick of your sh*t yet. Network administration on any level from ISPs on down is a balancing act of delivering service while limiting customers' ability to shoot themselves in the foot.

No Such Agency:Um, doesn't that magic box on my desk with the password and the antenna on it act as a firewall? I'm pretty sure it manages incoming connections and doesn't let just any strange traffic stick its unsolicited dirty dick into my computer.

No, it manages incoming connections but, by default, does not block strange traffic. There's firmware/software on it that ALLOWS YOU to block strange traffic, but it doesn't do that vanilla out-of-the-box.

ProfessorOhki:Desquamation: pudding7: ZAZ: I remember way back when we didn't have firewalls. NAT hadn't been invented because addresses were abundant and free for the taking. The box on my desk was visible to the world.

At my office, I just give all our servers and desktops a public IP and skip the whole internal/external network thing. It's easier for everyone. I also just gave everyone Admin rights to their own systems. Talk about a time saver for my desktop support guys. Now the users can install anything they want. Just skip the middleman, you know?

Not only is it a time saver, it'll save tons of money, because if everyone has admin rights on their machines we won't even need a support staff!

We've had clueless VPs pitch this idea almost word for word.

For the sake of analogy, let's say a desktop is a car. There are people who can work on their own cars, there are people who can't, and there are people in the middle who are mostly alright on their own but need help with more advanced tasks. With me so far? Alright, you're the guy going, "Yesterday, I saw a guy trying to air up his own tires! Ahaha, can you believe it? He wasn't even an expert!"

And now you're the guy going "Why do we need mechanics? All they do is talk everybody down, and there are people who can fix their own cars. Never mind the majority of them couldn't fix the engine without outright replacing it, and would probably need at least one spare one if they farked up getting the first one in right."

s1ugg0:MasterAdkins: There is so much wrong with that article I don't know where to start.

This.

SacriliciousBeerSwiller: Yay. More ways for the IT department to get in the way of productivity.

/it's possible to provide security without f*cking over the entire user base
//95% of IT "professionals" don't understand how to do this

All that means is there is only 5% of IT professionals who aren't sick of your sh*t yet. Network administration on any level from ISPs on down is a balancing act of delivering service while limiting customers' ability to shoot themselves in the foot.

ProfessorOhki:"Yesterday, I saw a guy trying to air up his own tires! Ahaha, can you believe it? He wasn't even an expert!"

Let's put a real world spin on your example. The next 75 people try to put air in their tires by blowing it up the tailpipe. And when you try to help them, half of them go "But it looked so easy" and the other half reply "I know about computers and stuff, I own an iPad". And 100% of them are belligerent in their ignorance and will be damned to hell before they'll actually admit to you what they were trying to do.

Want to get pleasant, helpful answers out of a NOC tech? Do the following:
- Explain what you were trying to do.
- Explain what you expected to happen.
- Explain what actually happened.

Do that every time and you'll get an honest answer and, more times than not, a solution within 5 to 10 minutes. Lie in any way and it just adds time and frustration to the troubleshooting.

Brother, I just spent 2 hours trying to explain to a guy that a T1 cross over cable is not an Ethernet cross over cable. And he was the Director of IT for a multi-million dollar company. First round is on me.

friday13:No Such Agency: Um, doesn't that magic box on my desk with the password and the antenna on it act as a firewall? I'm pretty sure it manages incoming connections and doesn't let just any strange traffic stick its unsolicited dirty dick into my computer.

No, it manages incoming connections but, by default, does not block strange traffic. There's firmware/software on it that ALLOWS YOU to block strange traffic, but it doesn't do that vanilla out-of-the-box.

ProfessorOhki: Desquamation: pudding7: ZAZ: I remember way back when we didn't have firewalls. NAT hadn't been invented because addresses were abundant and free for the taking. The box on my desk was visible to the world.

At my office, I just give all our servers and desktops a public IP and skip the whole internal/external network thing. It's easier for everyone. I also just gave everyone Admin rights to their own systems. Talk about a time saver for my desktop support guys. Now the users can install anything they want. Just skip the middleman, you know?

Not only is it a time saver, it'll save tons of money, because if everyone has admin rights on their machines we won't even need a support staff!

We've had clueless VPs pitch this idea almost word for word.

For the sake of analogy, let's say a desktop is a car. There are people who can work on their own cars, there are people who can't, and there are people in the middle who are mostly alright on their own but need help with more advanced tasks. With me so far? Alright, you're the guy going, "Yesterday, I saw a guy trying to air up his own tires! Ahaha, can you believe it? He wasn't even an expert!"

And now you're the guy going "Why do we need mechanics? All they do is talk everybody down, and there are people who can fix their own cars. Never mind the majority of them couldn't fix the engine without outright replacing it, and would probably need at least one spare one if they farked up getting the first one in right."

Yes; that is exactly what I said. You sound bitter and by bitter, I mean like a sysadmin.

s1ugg0:Brother, I just spent 2 hours trying to explain to a guy that a T1 cross over cable is not an Ethernet cross over cable. And he was the Director of IT for a multi-million dollar company. First round is on me.

How does traffic between virtual hosts that doesn't leave the virtualization server constitute a "hole" in the perimeter? Not all internal traffic needs to route through a gatekeeper, for the sake of all that is holy.

Not to defend the article (because it's garbage), but if you have multiple zones within a single virtual host, the host itself can bridge the zones without going through FW/IDS/other network monitoring stuffs.

Take your typical three-layer approach...internet facing system talks through a firewall to a middle tier system, which in turn talks through another firewall into a database layer system...if you virtualize all three on the same host platform, mistakes made by admins (or outright on purpose) can send the traffic straight from the internet facing system to the database system, completely bypassing the middle tier and never exposing the traffic to any kind of filter/IDS/etc.

So yeah, the point stands. Traffic between virtual hosts can constitute a hole in the perimeter...or at least in several typically internal perimeters.
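The bypass described in this post can be checked mechanically before it bites: model each VM's vNIC attachments to the host's virtual switches and look for any tier-to-tier path that never crosses a firewall VM. This is an added example, not code from the thread; the topology, VM names (web01, app01, db01, fw-outer, fw-inner) and vswitch names are constructed for the demo.

```python
"""Audit a virtualized three-tier deployment for firewall bypass.

Added example, not from the thread. web, app and db VMs sit on one
hypervisor; each tier is supposed to reach the next only through a
firewall VM. A stray second vNIC on any VM bridges two segments and
lets traffic skip the firewall, which is exactly what the post warns about.
All names below are constructed for the demo.
"""
from collections import deque

TOPOLOGY = {
    # kind: "vm" (with a tier), "fw" (filtering point), "vswitch" (segment)
    "nodes": {
        "web01": {"kind": "vm", "tier": "web"},
        "app01": {"kind": "vm", "tier": "app"},
        "db01": {"kind": "vm", "tier": "db"},
        "fw-outer": {"kind": "fw"},
        "fw-inner": {"kind": "fw"},
        "vs-dmz": {"kind": "vswitch"},
        "vs-app": {"kind": "vswitch"},
        "vs-db": {"kind": "vswitch"},
    },
    # vNIC attachments (node, vswitch): the intended, properly segmented layout
    "links": [
        ("web01", "vs-dmz"), ("fw-outer", "vs-dmz"), ("fw-outer", "vs-app"),
        ("app01", "vs-app"), ("fw-inner", "vs-app"), ("fw-inner", "vs-db"),
        ("db01", "vs-db"),
    ],
}

# Every boundary that must be firewalled in a three-tier design.
EXPECTED_BOUNDARIES = [("web", "app"), ("app", "db"), ("web", "db")]


def _adjacency(topology):
    adj = {name: set() for name in topology["nodes"]}
    for a, b in topology["links"]:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def unfiltered_paths(topology, src_tier, dst_tier):
    """Shortest paths from each src_tier VM to any dst_tier VM that never
    traverse a firewall node. Any such path is a segmentation bypass."""
    nodes, adj, findings = topology["nodes"], _adjacency(topology), []
    for start, meta in nodes.items():
        if meta["kind"] != "vm" or meta["tier"] != src_tier:
            continue
        prev, queue = {start: None}, deque([start])
        while queue:  # BFS, refusing to step onto firewall nodes
            cur = queue.popleft()
            for nxt in sorted(adj[cur]):
                if nxt in prev or nodes[nxt]["kind"] == "fw":
                    continue
                prev[nxt] = cur
                queue.append(nxt)
        for end, m in nodes.items():
            if m["kind"] == "vm" and m["tier"] == dst_tier and end in prev:
                path, n = [], end
                while n is not None:  # walk back to the source
                    path.append(n)
                    n = prev[n]
                findings.append(path[::-1])
    return findings


def audit(topology):
    """Report every tier boundary that can be crossed without a firewall."""
    report = []
    for src, dst in EXPECTED_BOUNDARIES:
        for path in unfiltered_paths(topology, src, dst):
            report.append(f"{src}->{dst} bypasses firewall: " + " -> ".join(path))
    return report


def with_stray_vnic(topology, vm, vswitch):
    """Copy of the topology with one extra vNIC attachment (the admin mistake)."""
    return {"nodes": dict(topology["nodes"]),
            "links": topology["links"] + [(vm, vswitch)]}


if __name__ == "__main__":
    print("clean layout:", audit(TOPOLOGY) or "no findings")
    print("web01 also on vs-db:", audit(with_stray_vnic(TOPOLOGY, "web01", "vs-db")))
    print("app01 also on vs-db:", audit(with_stray_vnic(TOPOLOGY, "app01", "vs-db")))
```

The same check applies to physical port groups or VLAN trunks; only the inventory source changes.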

s1ugg0:ProfessorOhki: "Yesterday, I saw a guy trying to air up his own tires! Ahaha, can you believe it? He wasn't even an expert!"

Let's put a real world spin on your example. The next 75 people try to put air in their tires by blowing it up the tailpipe. And when you try to help them, half of them go "But it looked so easy" and the other half reply "I know about computers and stuff, I own an iPad". And 100% of them are belligerent in their ignorance and will be damned to hell before they'll actually admit to you what they were trying to do.

Why would they bring up computers and iPads while trying to air up their tires? That doesn't make any sense at all.

Seriously though, I feel for those who have to deal with an onslaught of moronic users. However, I also feel for the competent users who have to put up with arrogant IT staff.

Brother, I just spent 2 hours trying to explain to a guy that a T1 cross over cable is not an Ethernet cross over cable. And he was the Director of IT for a multi-million dollar company. First round is on me.

And this is why most people don't like the IT guy.

Brother, I just reminded a fellow farker that Director level positions don't need to have a technical degree of knowledge in what they are doing. That's what the admins and engineers are for.

Anybody who thinks a firewall and a router are the same thing has never worked on either of those two types of gear that are of a respectable scale.

Sure, you can take a router and put some ACLs on it, but that's not even a percentage of what an actual firewall does.

I mean, you bought a 4 port Linksys router/switch. That's JUST like working on a Cisco 6513 or a Juniper 8126, right?

Most days, I REALLY wish network engineering required a state license. You have to get a license to push the cuticles back on people's toe nails, but any random buttfarker can legally work on mission critical systems like the cell phone network.

ProfessorOhki:Desquamation: pudding7: ZAZ: I remember way back when we didn't have firewalls. NAT hadn't been invented because addresses were abundant and free for the taking. The box on my desk was visible to the world.

At my office, I just give all our servers and desktops a public IP and skip the whole internal/external network thing. It's easier for everyone. I also just gave everyone Admin rights to their own systems. Talk about a time saver for my desktop support guys. Now the users can install anything they want. Just skip the middleman, you know?

Not only is it a time saver, it'll save tons of money, because if everyone has admin rights on their machines we won't even need a support staff!

We've had clueless VPs pitch this idea almost word for word.

For the sake of analogy, let's say a desktop is a car. There are people who can work on their own cars, there are people who can't, and there are people in the middle who are mostly alright on their own but need help with more advanced tasks. With me so far? Alright, you're the guy going, "Yesterday, I saw a guy trying to air up his own tires! Ahaha, can you believe it? He wasn't even an expert!"

I was having a bad day at work and started complaining about users. So my boss goes "You know, your mechanic doesn't rip on you because you don't know anything about cars!" to which I replied "He would if I had been back to the garage 10 times because filling it up with gas kept confusing me!".

dognose4:s1ugg0:Brother, I just spent 2 hours trying to explain to a guy that a T1 cross over cable is not an Ethernet cross over cable. And he was the Director of IT for a multi-million dollar company. First round is on me.

Dognose, you're talking about 2 separate layers of the OSI model. I agree with you, though, that T1 is an older spec. You find those with co's that have lots of widely dispersed small offices or points of sale. Think Dollar General. The new hotness is Layer 3 VPN over MPLS networks. Metro-ethernet is a big initiative too, for companies that aren't doing it yet.

ProfessorOhki:s1ugg0: ProfessorOhki: "Yesterday, I saw a guy trying to air up his own tires! Ahaha, can you believe it? He wasn't even an expert!"

Let's put a real world spin on your example. The next 75 people try to put air in their tires by blowing it up the tailpipe. And when you try to help them, half of them go "But it looked so easy" and the other half reply "I know about computers and stuff, I own an iPad". And 100% of them are belligerent in their ignorance and will be damned to hell before they'll actually admit to you what they were trying to do.

Why would they bring up computers and iPads while trying to air up their tires? That doesn't make any sense at all.

Seriously though, I feel for those who have to deal with an onslaught of moronic users. However, I also feel for the competent users who have to put up with arrogant IT staff.

I don't know if it's the kids who grew up knowing everything there is to know about computers or if it's the old guys tired of people running across their lawns but professionalism in IT has taken a hit.

A more recent trend is virtualization. Boxes running virtual environments contain multiple virtual machines inside them. Virtual servers connected to a virtual network run inside this virtual environment. All of this is connected to the traditional physical infrastructure. It can be challenging to manage the traffic between the virtual environment and the physical environment, but the real difficulty is that some of this traffic never leaves the virtual environment, which creates a hole in the network perimeter.

I think this is going to be the future of computing, or at least an option for some people. As network speeds continue to improve, why not push all your computing to "the cloud" (I hate that term, BTW)? You'll essentially rent storage space and pay for processing speed. Virtualize everything. All a user would have to worry about would be the display/terminal, whatever you need to interact with your VM.

Not fond of the idea myself, but that's where it seems to be headed, even for home computing.

Being old school and really deep in large scale networking still, I have to come out squarely AGAINST cloud initiative.

Cisco is trying to cram it down everybody's throat because it's going to take quite a bit of hardware upgrades to make it worth a shiat.

At the end of the day, though, you're taking the keys to your kingdom, all your eggs, the baby, the bathwater, and your girlfriend's diaphragm and putting it in a box to send down the road to a 3rd party. You have an SLA with them and that's all cool, but an SLA won't stop things like an a-hole with a digger cutting the fiber to their facility or yours. An SLA won't stop rogue administrators from digging around unbeknownst to you. An SLA won't get all of your mission critical data back to your widget makers so you can keep making that all important cash.

socodog:Being old school and really deep in large scale networking still, I have to come out squarely AGAINST cloud initiative.

Cisco is trying to cram it down everybody's throat because it's going to take quite a bit of hardware upgrades to make it worth a shiat.

At the end of the day, though, you're taking the keys to your kingdom, all your eggs, the baby, the bathwater, and your girlfriend's diaphragm and putting it in a box to send down the road to a 3rd party. You have an SLA with them and that's all cool, but an SLA won't stop things like an a-hole with a digger cutting the fiber to their facility or yours. An SLA won't stop rogue administrators from digging around unbeknownst to you. An SLA won't get all of your mission critical data back to your widget makers so you can keep making that all important cash.

Spot on.

And good luck getting a Google or an Amazon to sign an agreement that they will be responsible for the security of your data. An SLA is one thing...but something that gets through an FFIEC visit? Not a chance.

Banks, hospitals, etc...anyone with any responsibility in protecting other people's information will be taking a nose dive off a high cliff into a shallow river when they move their stuff out to "The Cloud".

dognose4:s1ugg0:Brother, I just spent 2 hours trying to explain to a guy that a T1 cross over cable is not an Ethernet cross over cable. And he was the Director of IT for a multi-million dollar company. First round is on me.

s1ugg0:dognose4: s1ugg0:Brother, I just spent 2 hours trying to explain to a guy that a T1 cross over cable is not an Ethernet cross over cable. And he was the Director of IT for a multi-million dollar company. First round is on me.

You'd be surprised. Anything with a 4 hour commit for repair looks real appealing to customers who value up time. And you can do all sorts of fun things with them.

I saw a commercial for a co-location facility that promised 100% up time. I'm in IT and unless I'm missing something, I can't see how that is possible. Unless they're rocking multiple redundancies for every client across multiple physical servers, can anyone tell me how that's possible? For that matter, you'd have to have multiple redundancies across many forms of tech. UPS devices, being served by multiple ISPs simultaneously, etc. I guess reading back on this now it is TECHNICALLY possible, but you'd have to double or triple up on your ENTIRE setup to guarantee that. And even then, it's not 100%.

s1ugg0:ProfessorOhki: "Yesterday, I saw a guy trying to air up his own tires! Ahaha, can you believe it? He wasn't even an expert!"

Let's put a real world spin on your example. The next 75 people try to put air in their tires by blowing it up the tailpipe. And when you try to help them, half of them go "But it looked so easy" and the other half reply "I know about computers and stuff, I own an iPad". And 100% of them are belligerent in their ignorance and will be damned to hell before they'll actually admit to you what they were trying to do.

Want to get pleasant, helpful answers out of a NOC tech? Do the following:
- Explain what you were trying to do.
- Explain what you expected to happen.
- Explain what actually happened.

Do that every time and you'll get an honest answer and, more times than not, a solution within 5 to 10 minutes. Lie in any way and it just adds time and frustration to the troubleshooting.

THIS. I cannot "THIS" this post hard enough. Sing it from every mountaintop. Preach it in every church. Teach it in every school.

Brother, I just spent 2 hours trying to explain to a guy that a T1 cross over cable is not an Ethernet cross over cable. And he was the Director of IT for a multi-million dollar company. First round is on me.

Y'know what's REALLY sad? Those memories are from when I was just a low-level helpdesk guy in college. I knew pretty much jack about networks then (as now), but I still knew the kind of work that was required by the people that do, and had to explain the basics of it to people on pretty much a daily basis.

unicron702:s1ugg0: dognose4: s1ugg0:Brother, I just spent 2 hours trying to explain to a guy that a T1 cross over cable is not an Ethernet cross over cable. And he was the Director of IT for a multi-million dollar company. First round is on me.

You'd be surprised. Anything with a 4 hour commit for repair looks real appealing to customers who value up time. And you can do all sorts of fun things with them.

I saw a commercial for a co-location facility that promised 100% up time. I'm in IT and unless I'm missing something, I can't see how that is possible. Unless they're rocking multiple redundancies for every client across multiple physical servers, can anyone tell me how that's possible? For that matter, you'd have to have multiple redundancies across many forms of tech. UPS devices, being served by multiple ISPs simultaneously, etc. I guess reading back on this now it is TECHNICALLY possible, but you'd have to double or triple up on your ENTIRE setup to guarantee that. And even then, it's not 100%.

And PLEASE don't get me started on BYOD. That's the most farked up plan I've ever heard of.

ALL gear that connects to the network needs to be owned by the organization.

I don't give a shiat what cool thing you read about in the magazine on the airplane. Write a valid business reason why you need it. Get it pushed through IT for security and viability testing. Follow up with your boss to get him to write a PO, and have the purchasing group buy the GD thing.

friday13:unicron702: s1ugg0: dognose4: s1ugg0:Brother, I just spent 2 hours trying to explain to a guy that a T1 cross over cable is not an Ethernet cross over cable. And he was the Director of IT for a multi-million dollar company. First round is on me.

You'd be surprised. Anything with a 4 hour commit for repair looks real appealing to customers who value up time. And you can do all sorts of fun things with them.

I saw a commercial for a co-location facility that promised 100% up time. I'm in IT and unless I'm missing something, I can't see how that is possible. Unless they're rocking multiple redundancies for every client across multiple physical servers, can anyone tell me how that's possible? For that matter, you'd have to have multiple redundancies across many forms of tech. UPS devices, being served by multiple ISPs simultaneously, etc. I guess reading back on this now it is TECHNICALLY possible, but you'd have to double or triple up on your ENTIRE setup to guarantee that. And even then, it's not 100%.

I'd think at that point it'd be prohibitively expensive.

Thinking the same thing. Also, imagine doing all of that and your failover system doesn't work when needed?

unicron702:friday13: unicron702: s1ugg0: dognose4: s1ugg0:Brother, I just spent 2 hours trying to explain to a guy that a T1 cross over cable is not an Ethernet cross over cable. And he was the Director of IT for a multi-million dollar company. First round is on me.

You'd be surprised. Anything with a 4 hour commit for repair looks real appealing to customers who value up time. And you can do all sorts of fun things with them.

I saw a commercial for a co-location facility that promised 100% up time. I'm in IT and unless I'm missing something, I can't see how that is possible. Unless they're rocking multiple redundancies for every client across multiple physical servers, can anyone tell me how that's possible? For that matter, you'd have to have multiple redundancies across many forms of tech. UPS devices, being served by multiple ISPs simultaneously, etc. I guess reading back on this now it is TECHNICALLY possible, but you'd have to double or triple up on your ENTIRE setup to guarantee that. And even then, it's not 100%.

I'd think at that point it'd be prohibitively expensive.

Thinking the same thing. Also, imagine doing all of that and your failover system doesn't work when needed?

Admittedly, that'd be a rare occurrence, but when it DID happen, you'd be down for days, if not weeks, trying to find exactly what happened.

friday13:unicron702: friday13: unicron702: s1ugg0: dognose4: s1ugg0:Brother, I just spent 2 hours trying to explain to a guy that a T1 cross over cable is not an Ethernet cross over cable. And he was the Director of IT for a multi-million dollar company. First round is on me.

You'd be surprised. Anything with a 4 hour commit for repair looks real appealing to customers who value up time. And you can do all sorts of fun things with them.

I saw a commercial for a co-location facility that promised 100% up time. I'm in IT and unless I'm missing something, I can't see how that is possible. Unless they're rocking multiple redundancies for every client across multiple physical servers, can anyone tell me how that's possible? For that matter, you'd have to have multiple redundancies across many forms of tech. UPS devices, being served by multiple ISPs simultaneously, etc. I guess reading back on this now it is TECHNICALLY possible, but you'd have to double or triple up on your ENTIRE setup to guarantee that. And even then, it's not 100%.

I'd think at that point it'd be prohibitively expensive.

Thinking the same thing. Also, imagine doing all of that and your failover system doesn't work when needed?

Admittedly, that'd be a rare occurrence, but when it DID happen, you'd be down for days, if not weeks, trying to find exactly what happened where.
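The "100% uptime" argument above (doubling the entire setup still doesn't reach 100%, a non-redundant layer caps everything, and a failover that doesn't fire makes the spare worthless) can be put in numbers. This is an added example, not code from the thread; the per-layer availability figures and the failover success probability are constructed inputs, not measurements from any provider.

```python
"""Availability arithmetic behind the "100% uptime" claim in the thread.

Added example, not from the thread. A colocation service is modelled as
layers in series (power, upstream ISP, server). Each layer has a
steady-state availability a and n identical copies; a spare only helps if
it is up AND the failover to it actually works (probability p_failover).
All numbers below are constructed for the demo.
"""

MINUTES_PER_YEAR = 365 * 24 * 60


def redundant_layer(a, n, p_failover=1.0):
    """Availability of one layer with n copies.

    The layer is down when the primary is down and every one of the n-1
    spares is unusable (down, or up but the failover to it fails).
    With p_failover == 1 this reduces to the textbook 1 - (1-a)**n.
    """
    if not 0.0 <= a <= 1.0 or not 0.0 <= p_failover <= 1.0 or n < 1:
        raise ValueError("a and p_failover must be in [0,1], n >= 1")
    spare_unusable = 1.0 - p_failover * a
    return 1.0 - (1.0 - a) * spare_unusable ** (n - 1)


def system_availability(layers):
    """Layers are in series: the service is up only if every layer is up.
    layers: list of (name, a, n, p_failover)."""
    total = 1.0
    for _name, a, n, p in layers:
        total *= redundant_layer(a, n, p)
    return total


def downtime_minutes_per_year(availability):
    return (1.0 - availability) * MINUTES_PER_YEAR


# Constructed scenarios: single everything, doubled everything, doubled
# except shared power, and doubled with a failover that only works 90%.
SINGLE = [("power", 0.999, 1, 1.0), ("isp", 0.995, 1, 1.0), ("server", 0.99, 1, 1.0)]
DOUBLED = [("power", 0.999, 2, 1.0), ("isp", 0.995, 2, 1.0), ("server", 0.99, 2, 1.0)]
SHARED_POWER = [("power", 0.999, 1, 1.0), ("isp", 0.995, 2, 1.0), ("server", 0.99, 2, 1.0)]
FLAKY_FAILOVER = [("power", 0.999, 2, 1.0), ("isp", 0.995, 2, 1.0), ("server", 0.99, 2, 0.9)]


def summarize(layers):
    """Return (availability, downtime minutes/year) for a scenario."""
    a = system_availability(layers)
    return a, downtime_minutes_per_year(a)


if __name__ == "__main__":
    for label, layers in [("single", SINGLE), ("doubled", DOUBLED),
                          ("shared power", SHARED_POWER),
                          ("flaky failover", FLAKY_FAILOVER)]:
        a, mins = summarize(layers)
        print(f"{label:15s} availability={a:.6f}  downtime={mins:8.1f} min/yr")
```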